You are here: Home » Spanning-Tree

Spanning-Tree LoopGuard and UDLD

If you ever used fiber cables you might have noticed that there is a different connector to transmit and receive traffic.

If one of the cables (transmit or receive) fails we’ll have a unidirectional link failure and this can cause spanning tree loops. There are two protocols that can take care of this problem:

LoopGuard
UDLD ( Unidirectional Link Detection )

Let’s start by taking a close look at what will happen if we have a unidirectional link failure:

Imagine the links between the switches are fiber links. In reality there’s a different connector for transmit and receive. SW3 is receiving BPDUs from SW2 and as a result the interface has become an alternate port and is in blocking mode.

Now something goes wrong…the transmit connector on SW2 towards SW3 was eaten by mice failed due to unknown reasons. As a result SW3 is not receiving any BPDUs from SW2 but it can still send traffic to SW2.

Because SW3 is not receiving anymore BPDUs on its alternate port it will go into forwarding mode. We now have a one way loop as indicated by the green arrow.

One of the methods we can use to solve our unidirectional link failure is to configure LoopGuard. When a switch is sending but not receiving BPDUs on the interface, LoopGuard will place the interface in the loop-inconsistent state and block all traffic:

Let’s take a look what this looks like on actual switches. I will use the same topology:

Let’s enable loopguard:

SW1(config)#spanning-tree loopguard default

SW2(config)#spanning-tree loopguard default

SW3(config)#spanning-tree loopguard default

Use the spanning-tree loopguard default command to enable LoopGuard globally. I don’t have any fiber connectors so I’m unable to create a unidirectional link failure. I can simulate it however by using BPDUfilter on SW2’s fa0/16 interface. SW3 won’t receive any BPDUs anymore on its alternate port which will cause it to go into forwarding mode:

SW2(config)#interface fa0/16
SW2(config-if)#spanning-tree portfast trunk
SW2(config-if)#spanning-tree bpdufilter enable

Here’s what will happen:

SW3# 
*Mar  1 00:17:14.431: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/16 on VLAN0001.

Normally this would cause a loop but luckily we have LoopGuard configured. You can see this error message appearing in your console, problem solved!

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

SW1

hostname SW1
!
spanning-tree loopguard default
!
end

SW2

hostname SW2
!
spanning-tree loopguard default
!
interface FastEthernet0/16
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 udld port aggressive
!
end

SW3

hostname SW3
!
spanning-tree loopguard default
!
mac access-list extended UDLD-FILTER
 deny   any host 0100.0ccc.0ccc
 permit any any
!
interface FastEthernet0/16
 udld port aggressive
 mac access-group UDLD-FILTER in
!
end

If you want you don’t have to configure LoopGuard globally, you can also do it on the interface level like this:

SW3(config-if)#spanning-tree guard loop

The other protocol we can use to deal with unidirectional link failures is called UDLD (UniDirectional Link Detection). This protocol is not part of the spanning tree toolkit but it does help us to prevent loops.

Simply said UDLD is a layer 2 protocol that works like a keepalive mechanism. You send hello messages, you receive them and life is good. As soon as you still send hello messages but don’t receive them anymore you know something is wrong and we’ll block the interface.

Let’s use the same topology but configure UDLD this time. Don’t forget to get rid of loopguard first…

SW1(config)#udld ?      
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except
              where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally
              configured
  message     Set UDLD message parameters

There are a number of methods how you can configure UDLD. You can do it globally with the udld command but this will only activate UDLD for fiber links!

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 643 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

459 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Previous Lesson
Spanning-Tree RootGuard

Next Lesson
Spanning-Tree Dispute

Tags: Security

Forum Replies

dondruja2525 says:

Hello Renne,

Does UDLD will work from cisco 4500 to a 3rd party switch (IBM g8264)

-I configured the cisco 4500 on a normal mode and on the other side, the port is also on the normal mode
-tried to filter the mac address for udld but the port is still operational.

Do you think that when udld is deployed on cisco with a non cisco equipment, will they still use the udld mac address you mentioned or it is cisco proprietary?

Thank you.
ReneMolenaar says:
Hi Thomas,
1. Nope, once something happens on either side…the link will go down. There’s no separate transmit or receive connect with copper links. One topic that is related that you might like is BFD:
https://networklessons.com/cisco/ccie-routing-switching/bidirectional-forwarding-detection-bfd/
1. You should use it on the blocking (alternate) ports but also on root ports, basically any port that could be in blocking mode if the topology changes. You can enable it globally like I did.
2. Loopguard works based on BPDUs (L2 information). If a loopguard enabled no
... Continue reading in our forum
andajose says:

Hello Rene, my confusion regarding Loopguard, is when a switch is not receiving bpdus anymore on a alternate/blocking port. I understand that a blocking port does not receive bpdu until moves to forwarding state.

Can you please clarify this statement:" switch C is not receiving anymore bpdus in its alternate port" scnd paragraph below third picture.
lagapides says:

Wisam

My sincere apologies, I forgot to add the link. You can find the document here.

Laz
ReneMolenaar says:

Hi Ray,

This is no problem. Without loop guard, if a non-designated port stops receiving BPDUs then it goes through the listening > learning > forwarding state.

When you enable loop guard then a non-designated port that receives no BPDUs goes into a inconsistent state instead of going through the listening > learning > forwarding state. It does not affect designated ports.

Rene

29 more replies! Ask a question or join the discussion by visiting our Community Forum